Management Role in Information Security
Although security is a part of everyday’s technical work for all organizations, management has a pivotal role in establishing a real information security framework within an organization. Beside known management responsibilities, IT managers, and top management have to learn and deal with contemporary topics, like information security.
By de facto, all organizations implement at least, scattered parts of information security procedures that varies from registering visitor’s names on reception, running CCTV cameras, assigning security officers to guard the building (yes, it is part of information security), installing antivirus software on PCs and servers, configuring firewalls, installing SIEM solutions, to implementing advanced security policies and procedures.
I can argue that each and every normal work activity is connected somehow to a certain security procedure. But sadly, security strength is measured by the weakest part within the process. Therefore, inharmonic security practices and lack of cohesion between security procedures are a failure by itself.
Therefore, a holistic vision is needed when it comes to security, and here comes the management part.
Organization management shall:
- Adopt Basic Security Requirements
Organization management shall initiate and establish information security management structure; and shall approve work procedures and define work priorities. These tasks would be guided by studying the gap between current state and future “imagined” state of organizational security.
Security resources should be identified; usually as a result of 1- Security planning, 2- After a security breach, or 3- Based on the risk analysis findings. Plans require resources, whether it is time, staffing, hardware, software, or contracting external suppliers. When managers approve a plan, they should make the needed resources available.
Every organization has a strategic plan to document its vision, mission, values, and future goals, (or at least should have). In today’s world, security and strategic objectives are inseparable. Its manager’s role is to ensure that information security is aligned with the strategic direction of the organization; investment in security must be proportional to work plans, and work dependencies.
- Risk Mitigation Procedures
Risk analysis is usually conducted by a security team, the result of risk analysis is a matrix that defines the level of risk for each Assets within the organization. Now, what is the acceptable level of risk, and what is the affordable way to deal with this risk? Here comes the management part.
Management has to set a threshold for acceptable risk. Risk valued above that threshold has to be mitigated. Risk mitigation methods may include preparations, containment, eradication, recovery, insurance, and post-incident procedure.
The risk mitigation method has to be approved by organization management, depending on what resources are required to mitigate that risk and the expected efficiency of that method in reducing the risk.
- Enforce Implementation
Well, this role is a bit standard management one, but has to be mentioned here with this context. Once policies are approved, it is the manager’s role to enforce the implementation of those policies and work procedures. More importantly, managers have to verify the efficiency and effectiveness of these policies; and initiate enhancements when needed.
- Security Documentation
From my experience, technical teams usually show substantial resistance to develop work documentation. Managers must enforce security procedures to be documented and to be reviewed from time to time, and to make sure that work procedures match with the existing documentation.
Alternatively, managers may form a special task force to review and propose improvements to the existing process on their behalf.
- Conducting Security Audit
Security audit is a standard procedure, recommended by international organizations to be conducted periodically. There are two types of security audit, external and internal.
In internal audit, the security audit task is accomplished by a higher security team within the organization, the team usually includes: internal auditor of the organization, financial auditor, and information security auditor, led by top management. External audit is contracting a third party to accomplish this task.
Top managers are responsible to initiate the audit procedure, approve the outcome of the audit process, prioritize the improvements, and allocate resources.
The Bottom Line
A holistic vision and coordinated actions are required to achieve security outcomes, and here comes the management role; the use of information resources shall be planned, documented, organized, and monitored by organization management, and resources must be allocated to attain the expected results.
Thanks for reading. Follow to read more and Clap if you like it.